insufficient_ scope
Registry Context
Use insufficient_scope when a protected resource request requires higher privileges than the access token provides.
Technical Summary
RFC 6750 defines insufficient_scope as a bearer-token error code indicating that the access token does not provide the privileges required by the request.
When Used
When a protected resource request requires higher privileges than the presented access token provides.
Normative Requirements
Resource servers
RFC 6750 - Section 3
include the "scope" attribute more than once.
Condition: when including the "scope" attribute in the challenge
The "scope" attribute MUST NOT appear more than once.
RFC 6750 - Section 3
include characters outside %x21 / %x23-5B / %x5D-7E for scope values or %x20 for delimiters.
Condition: when including a "scope" attribute
Values for the "scope" attribute ... MUST NOT include characters outside the set %x21 / %x23-5B / %x5D-7E ... and %x20 for delimiters
RFC 6750 - Section 3
include the "error" attribute more than once.
Condition: when including the insufficient_scope error in the challenge
The "error" ... attribute MUST NOT appear more than once.
RFC 6750 - Section 3
include characters outside %x20-21 / %x23-5B / %x5D-7E in the "error" attribute value.
Condition: when including the insufficient_scope error in the challenge
Values for the "error" ... attributes ... MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
RFC 6750 - Section 3
include the HTTP "WWW-Authenticate" response header field.
Condition: when the protected resource request does not contain an access token that enables access to the protected resource
the resource server MUST include the HTTP "WWW-Authenticate" response header field
RFC 6750 - Section 3
use the auth-scheme value "Bearer" for the challenge.
Condition: when issuing a challenge defined by RFC 6750
All challenges defined by this specification MUST use the auth-scheme value "Bearer".
RFC 6750 - Section 3
follow the "Bearer" auth-scheme with one or more auth-param values.
Condition: when issuing a Bearer challenge
This scheme MUST be followed by one or more auth-param values.
RFC 6750 - Section 3.1
respond with the HTTP 403 (Forbidden) status code.
Condition: when the request requires higher privileges than the access token provides
The resource server SHOULD respond with the HTTP 403 (Forbidden) status code
RFC 6750 - Section 3.1
include the "scope" attribute with the scope necessary to access the protected resource.
Condition: when the request requires higher privileges than the access token provides
MAY include the "scope" attribute with the scope necessary to access the protected resource
Validation Guidance
Confirm the response includes a WWW-Authenticate header when the presented access token does not enable access to the protected resource.
Confirm the challenge uses the Bearer auth-scheme followed by at least one auth-param.
If insufficient_scope is emitted, confirm the response status is 403; report a non-403 status as a SHOULD-level deviation.
If a scope attribute is present, confirm it identifies the scope necessary to access the protected resource.
Confirm the scope attribute appears no more than once and contains only the permitted characters.
Confirm the error attribute appears no more than once and its value contains only the permitted characters.
Reference
Details
- Entry Id
insufficient_scope - Name
insufficient_scope - Usage Location
resource access error response- Protocol Extension
bearer access token type- Change Controller
IETF- Reference
RFC6750